ISO 27001:2022 A 8.9 Configuration management

Configuration Management is the process of maintaining systems, such as computer hardware and software, in a desired state. It is also a method of ensuring that systems perform in a manner consistent with expectations over time, and a governance and systems engineering process used to track and control IT resources and services across an enterprise. Configuration Management helps prevent undocumented changes from working their way into the environment. By doing so, CM can help prevent performance issues, system inconsistencies, or compliance issues that can lead to regulatory fines and penalties. Over time, these undocumented changes can lead to system downtime, instability, or failure. When properly implemented, configuration management ensures that an organization knows how its technology assets are configured and how those items relate to one another.

Configuration management ensures that hardware, software, services, and networks function correctly with the required security settings, and that configuration is not altered by unauthorized or incorrect changes. The control requires that configurations, including security configurations, of hardware, software, services and networks be established, documented, implemented, monitored and reviewed. The organization should define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for operational systems over their lifetime. Roles, responsibilities, and procedures should be in place to ensure satisfactory control of all configuration changes.

Utilizing a Configuration Management system helps avoid problems that occur when hardware and software systems are improperly configured. Simply tracking changes can help avoid expensive remediation projects down the road. CM is insurance you pay for today so you can prevent issues tomorrow. For example, Configuration Management helps ensure the development, test, and production environments are the same, so that deployed applications will behave in the manner that is expected of them. When problems do occur, CM can re-create the environment where an error occurred, or can replicate an environment to ease scaling and migration of workloads either on-premises or between clouds. Configuration Management tools use scripting to automate these administrative tasks, and enable rapid provisioning of servers, VMs and containers to the desired state in minutes, rather than days or weeks. A Configuration Management system allows the enterprise to define settings in a consistent manner, then to build and maintain them according to the established baselines. A configuration management plan should include a number of tools that:

  • Enable classification and management of systems in groups
  • Make centralized modifications to baseline configurations
  • Push changes automatically to all affected systems to automate updates and patching
  • Identify problem configurations that are underperforming or non-compliant
  • Automate prioritization of actions needed to remediate issues
  • Apply remediation when needed.

The configuration management process begins with gathering information including configuration data from each application and the network topology. Secrets such as encryption keys and passwords should be identified so they can be encrypted and stored safely. Once collected, configuration data should be loaded into files that become the central repository of the desired state – the single version of the truth. Once data has been collected the organization can establish a baseline configuration, which should be a known good configuration that can perform its intended operations without bugs or errors. Typically this baseline is established by noting the configuration of the working production environment and storing those configuration settings as the baseline. When the baseline has been established, the organization should adopt a version control system. Many organizations utilize Git to create a repository of configuration data for this purpose. Auditing and accounting help to ensure that any changes that are applied to the configuration are reviewed by stakeholders and accepted, ensuring accountability and visibility into configuration changes.

Control

Configurations, including security configurations, of hardware, software, services and networks should be established, documented, implemented, monitored and reviewed.

Purpose

To ensure hardware, software, services and networks function correctly with required security settings, and configuration is not altered by unauthorized or incorrect changes.

ISO 27002 Implementation Guidance

General
The organization should define and implement processes and tools to enforce the defined configurations (including security configurations) for hardware, software, services (e.g. cloud services) and networks, for newly installed systems as well as for operational systems over their lifetime. Roles, responsibilities and procedures should be in place to ensure satisfactory control of all configuration changes.
Standard templates
Standard templates for the secure configuration of hardware, software, services and networks should be defined:

  1. using publicly available guidance (e.g. pre-defined templates from vendors and from independent security organizations);
  2. considering the level of protection needed in order to determine a sufficient level of security;
  3. supporting the organization’s information security policy, topic-specific policies, standards and other security requirements;
  4. considering the feasibility and applicability of security configurations in the organization’s context.

The templates should be reviewed periodically and updated when new threats or vulnerabilities need to be addressed, or when new software or hardware versions are introduced. The following should be considered for establishing standard templates for the secure configuration of hardware, software, services and networks:

  1. minimizing the number of identities with privileged or administrator level access rights;
  2. disabling unnecessary, unused or insecure identities;
  3. disabling or restricting unnecessary functions and services;
  4. restricting access to powerful utility programs and host parameter settings;
  5. synchronizing clocks;
  6. changing vendor default authentication information such as default passwords immediately after installation and reviewing other important default security-related parameters;
  7. invoking time-out facilities that automatically log off computing devices after a predetermined period of inactivity;
  8. verifying that licence requirements have been met.

Managing configurations
Established configurations of hardware, software, services and networks should be recorded and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as configuration databases or configuration templates. Changes to configurations should follow the change management process. Configuration records can contain, as relevant:
a) up-to-date owner or point of contact information for the asset;
b) date of the last change of configuration;
c) version of configuration template;
d) relation to configurations of other assets.

Monitoring configurations
Configurations should be monitored with a comprehensive set of system management tools (e.g. maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths and assess activities performed. Actual configurations can be compared with the defined target templates. Any deviations should be addressed, either by automatic enforcement of the defined target configuration or by manual analysis of the deviation followed by corrective actions.

Other information

Documentation for systems often records details about the configuration of both hardware and software. System hardening is a typical part of configuration management. Configuration management can be integrated with asset management processes and associated tooling. Automation is usually more effective to manage security configuration (e.g. using infrastructure as code). Configuration templates and targets can be confidential information and should be protected from unauthorized access accordingly.

Configurations – whether acting as a single config file, or a group of configurations linked together – are the underlying parameters that govern how hardware, software and even entire networks are managed. As an example, a firewall’s configuration file will hold the baseline attributes that the device uses to manage traffic to and from an organisation’s network, including block lists, port forwarding, virtual LANs and VPN information. Configuration management is an integral part of an organisation’s broader asset management operation. Configurations are key in ensuring that a network is not only operating as it should be, but also in securing devices against unauthorised changes or incorrect amendments on the part of maintenance staff and/or vendors. Established configurations of hardware, software, services, and networks should be recorded, and a log should be maintained of all configuration changes. These records should be securely stored. This can be achieved in various ways, such as through configuration databases or configuration templates. Configurations should be monitored with a comprehensive set of system management tools (e.g., maintenance utilities, remote support, enterprise management tools, backup and restore software) and should be reviewed on a regular basis to verify configuration settings, evaluate password strengths, and assess activities performed. This control manages risk by establishing a series of policies that govern how an organisation documents, implements, monitors and reviews the use of configurations across its entire network.

On the whole, organisations need to draft and implement configuration management policies for both new systems and hardware, and any that are already in use. Internal controls should include business critical elements such as security configurations, all hardware that holds a configuration file and any relevant software applications or systems. Organisations are to consider all relevant roles and responsibilities when implementing a configuration policy, including the delegated ownership of configurations on a device-by-device, or application-by-application basis. Where possible, organisations should use standardized templates to secure all hardware, software and systems. Templates should:

  • Attempt to utilize publicly available, vendor-specific and/or open source guidance on how best to configure hardware and software assets.
  • Meet minimum security requirements for the device, application or system that they are applicable to.
  • Work in harmony with the organisation’s broader information security efforts, including all relevant ISO controls.
  • Keep in mind the organisation’s unique business requirements – especially where security configurations are concerned – including how feasible it is to apply or manage a template at any given time.
  • Be reviewed at appropriate intervals in order to cater for system and/or hardware updates, or any prevailing security threats.

Security is paramount when applying configuration templates, or amending existing templates in line with the above guidance. When considering standard templates for use across the organisation, in order to minimize any information security risks organisations should:

  • Keep the number of users with administrator privileges to a minimum.
  • Disable any unused or unnecessary identities.
  • Closely monitor access to maintenance programs, utility applications and internal settings.
  • Ensure that clocks are synchronised in order to log configuration correctly, and assist in any future investigations.
  • Immediately change any default passwords or default security settings that are supplied with any device, service or application.
  • Implement a default logoff period for any devices, systems or applications that have been left dormant for a specified period of time.
  • Ensure that all licensing requirements have been met.

An organisation has a responsibility to maintain and store configurations, including keeping an audit trail of any amendments or new installations, in line with a published change management process. Logs should contain information that outlines:

  • Who owns the asset.
  • A timestamp for the latest configuration change.
  • The current version of the configuration template.
  • Any relevant information that explains the asset’s relationship with configurations held on other devices or systems.

Organisations should deploy a wide range of techniques to monitor the operation of configuration files across their network, including:

  • Automation.
  • Specialized configuration maintenance programs.
  • Remote support tools that auto-populate configuration information on a device-by-device basis.
  • Enterprise device and software management utilities that are designed to monitor large amounts of configuration data at once.
  • BUDR software that automatically backs up configurations to a secure location, and restores templates either remotely or onsite to compromised and/or malfunctioning devices.

Organisations should configure specialized software to track any changes in a device’s configuration, and take appropriate action to address the amendment as soon as possible, either by validating the change or reverting the configuration back to its original state.

Whether intentional or unintentional, changes are commonplace in IT infrastructures. Managers deploy and install software updates, end users or administrators change configuration settings intentionally or unintentionally, managers introduce new applications and systems with vigor … and so on. When such decisions are made in haste, security considerations are often “left out of the equation.” As a result, implementations are made quickly and without regard to change/release processes in order to meet deadlines and schedules. Even if IT systems have defined settings during the initial installation, deviations occur over time. It is usually difficult to keep track of the changes that lead to a configuration deviation via standard measures such as the widely used group policies. As a result, a management tool that provides a comprehensive and transparent overview becomes necessary. This allows an IT department to effectively monitor the situation and also take appropriate action if necessary. The best way to deal with configuration deviations is to strictly organize configuration management. In addition to this organizational measure, it is also imperative to technically monitor the actual, implemented configuration. The combination of regular and effective monitoring at the technical and process levels helps to create comprehensive security awareness and to keep the IT infrastructure under control. Another plus point is that evidence for internal and external audits is generated almost as a side effect. The best way to detect and, in the best case, prevent configuration deviations of IT systems consists of a multi-stage process.

  1. Identify: The initial configuration must be clear. Often, compliance departments and/or information security officers know existing internal and external security requirements. Existing industry standards and vendor recommendations also help in the evaluation.
  2. Evaluate, develop and adapt: Are existing IT systems configured to meet the specifications of internal and external recommendations and requirements? What differences exist? Which systems deviate – regularly, if necessary – from the specifications? On the basis of stringent reporting, it is possible to develop and also implement a standardized, proprietary (hardening) configuration.
  3. Control: During the lifetime of IT systems, which can be several years, continuous – ideally automated – monitoring is necessary. This enables deviations in the configuration to be detected. Questions to be asked here could be the following:
    • Does monitoring of all IT systems take place after implementation?
    • Are configuration deviations visualized transparently so that a rapid response is possible?
    • Does “automated self-healing” take place under certain circumstances?
  4. Establish processes: If deviations are detected, appropriate measures must be taken as quickly as possible. While this usually works on demand in small companies, larger companies with a strong separation of responsibilities need established and tested processes! For example, these things need to be clarified:
    • How can a configuration deviation be detected?
    • How quickly is the configuration deviation corrected?
    • To which person or persons do you report the deviations?
    • What do the regular reports look like?
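The "Control" and "Establish processes" steps above, together with the earlier guidance on comparing actual configurations with the defined target template and either auto-enforcing or manually analysing deviations, can be exercised with the following added example. It is not from ISO 27002 or any vendor tool; the template keys, asset names, owner and values are constructed placeholders standing in for the kinds of settings the standard templates list (privileged accounts, unused services, clock sync, default passwords, idle time-outs).

```python
"""Configuration drift check against a standard template.

Added example (not from ISO 27002 or any vendor tool). Template keys,
asset names and values are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Baseline template: setting -> (expected value, safe to auto-enforce?).
# Settings flagged True are reverted automatically; the others are routed
# to manual analysis, the two options the monitoring guidance names.
BASELINE_TEMPLATE = {
    "version": "2024.1",
    "settings": {
        "ssh.permit_root_login": ("no", True),
        "ssh.password_authentication": ("no", True),
        "ntp.enabled": ("yes", True),
        "session.idle_timeout_minutes": (15, True),
        "services.telnet": ("disabled", True),
        "admin.default_password_changed": ("yes", False),
    },
}

# Constructed snapshot of what a (hypothetical) host actually reports.
SAMPLE_ACTUAL = {
    "ssh.permit_root_login": "yes",           # drifted, auto-enforceable
    "ssh.password_authentication": "no",
    "ntp.enabled": "yes",
    "session.idle_timeout_minutes": 60,       # drifted, auto-enforceable
    "services.telnet": "disabled",
    "admin.default_password_changed": "no",   # drifted, needs manual review
}

@dataclass
class Deviation:
    setting: str
    expected: object
    actual: object
    action: str  # "auto-enforced" or "manual-review"

@dataclass
class ConfigRecord:
    """The fields the guidance says a configuration record can hold."""
    asset: str
    owner: str
    template_version: str
    last_checked: str
    related_assets: list = field(default_factory=list)
    deviations: list = field(default_factory=list)

def check_drift(actual: dict, template: dict) -> list:
    """Compare a snapshot with the template; a missing setting is a deviation."""
    devs = []
    for key, (expected, auto) in template["settings"].items():
        value = actual.get(key, "<missing>")
        if value != expected:
            action = "auto-enforced" if auto else "manual-review"
            devs.append(Deviation(key, expected, value, action))
    return devs

def enforce(actual: dict, deviations: list) -> dict:
    """Return a corrected copy with auto-enforceable settings reset to baseline."""
    fixed = dict(actual)
    for d in deviations:
        if d.action == "auto-enforced":
            fixed[d.setting] = d.expected
    return fixed

def build_record(asset: str, owner: str, related: list, actual: dict,
                 template: dict, now=None) -> ConfigRecord:
    """Audit record for one check: owner, timestamp, template version, drift."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return ConfigRecord(asset, owner, template["version"], stamp, related,
                        check_drift(actual, template))

def report(rec: ConfigRecord) -> str:
    """Summary in the shape a regular configuration review report might take."""
    related = ", ".join(rec.related_assets) or "-"
    lines = [f"{rec.asset} (owner {rec.owner}, template {rec.template_version}, "
             f"checked {rec.last_checked}, related: {related})"]
    for d in rec.deviations:
        lines.append(f"  {d.setting}: expected {d.expected!r}, "
                     f"found {d.actual!r} -> {d.action}")
    if not rec.deviations:
        lines.append("  compliant with template")
    return "\n".join(lines)

if __name__ == "__main__":
    rec = build_record("web-01", "platform-team", ["fw-01"],
                       SAMPLE_ACTUAL, BASELINE_TEMPLATE)
    print(report(rec))
    left = check_drift(enforce(SAMPLE_ACTUAL, rec.deviations), BASELINE_TEMPLATE)
    print(f"after auto-enforcement, {len(left)} deviation(s) need manual review")
```

The same functions run unchanged against a snapshot missing keys entirely, which is reported as a deviation rather than silently passed.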

Configuration Management is not an end in itself, but an important IT measure. One that ensures that a stringent and standardized hardening of IT systems is performed and controlled. System hardening is known to configure operating systems, applications, cloud solutions and more to better protect them. Data espionage, ransomware attempts and other cyber attacks can be averted in this way or, optimally, fizzle out because the typical attack surfaces have been reduced in size. In order to carry out a system hardening efficiently, a check is required first. This determines the status quo of the system hardening.

The configuration of an IT Asset is a representation of the system’s components, how each component is configured, and how the components are connected or arranged to implement the asset. A misconfiguration may affect the security posture of the asset and infrastructure. The activities involved in managing the configuration process include planning, identification, establishment of the baseline configuration, change control, configuration monitoring and reporting. IT Asset Custodians must inventory, document, monitor and manage IT Assets for which they are responsible. For each asset, the susceptibility to risk or exploit and the required level of protection required to comply with policies and standards must be determined. Risk level is determined by the IT Asset Custodian based on factors including, but not limited to:
  • the sensitivity and risk of harm to individuals if the IT Asset or High Risk/Moderate Risk data is subject to a breach or unauthorized disclosure.
  • failure or loss of availability of a critical business function.
  • loss of productivity or other negative impacts to resources.

IT Asset documentation and risk assessment information shall be made available to the CISO upon request.

CONFIGURATION MANAGEMENT REQUIREMENTS IN INFORMATION SECURITY
IT Asset Custodians must ensure that data is properly protected, and IT Assets are properly hardened, monitored, and managed from initial installation, through configuration, maintenance, and support, to end-of-life decommissioning according to Configuration Management controls.
I] Configuration Management Policy and Procedures
The CISO is responsible for establishing Configuration Management policies and standards that apply to enterprise and distributed IT Assets. Information security manager is responsible for ensuring appropriate configuration management within the organization to ensure the infrastructure is secure and resilient.

II] Configuration Management Plan
Each IT Asset Custodian must develop, document, and implement a Configuration Management Plan for IT Assets that:

  • addresses configuration management roles, responsibilities, standards, processes, and procedures.
  • establishes a process for identifying configuration items throughout the system development life cycle (SDLC), and ensures they align with established policies, standards, processes, and procedures.
  • protects the Configuration Management Plan from unauthorized disclosure and modification.

III] IT Asset Inventory
IT Asset Custodians are responsible for establishing and maintaining an accurate, detailed, and up-to-date inventory of all IT Assets and asset components (devices, applications, operating systems, networks, etc.) connected to the infrastructure (physically, virtually, remotely, within cloud environments, etc.). This includes relevant hardware/software/system specific component information such as Unit, IT Asset Custodian, location, manufacturer, device type, model, serial number, version number, machine name, hardware address and specifications, software license information, software version numbers, etc. IT Asset Custodians must maintain an inventory of IT Assets and IT Asset components:
1) Develop and document an inventory of IT Asset components that

  • accurately reflects the current IT Assets for which the IT Asset Custodian is responsible
  • includes information necessary to achieve effective infrastructure component accountability and proper management
  • is at the level of granularity deemed necessary for tracking and reporting.

2) Review and update the component inventory as an integral part of installation, removal, and updates.
3) Ensure that only currently supported and authorized IT Assets are connected to the infrastructure unless an exception is approved according to the Request for Exception to IT Policy.
4) Employ mechanisms to detect the presence of unauthorized hardware, software, and firmware. The IT Asset Custodian must take action when unauthorized components are detected, such as disabling network access for such components, isolating the components, or notifying authorized points of contact.

IV] Baseline Configurations
Baselines are documented, formally reviewed and agreed-upon sets of specifications that ensure that IT Assets are properly configured and hardened to reduce vulnerabilities. Hardening includes removing superfluous programs, account functions, applications, ports, permissions, access, or other configuration changes to reduce attackers’ ability to gain unauthorized access to the IT environment. Types of hardening activities include application hardening, operating system hardening, server hardening, database hardening and network hardening. Baseline configurations may also be used to create master configuration images (golden images), with required configuration settings already in place. An example of a golden image is a configuration with approved base operating system settings that can be rolled out to all virtual machines/workstations in the unit. Baseline configurations serve as a basis for future builds, releases, and changes to university systems, system components, and networks. IT Asset Custodians are responsible for selecting and tailoring appropriate security control baselines for all IT Assets, based on the criticality and sensitivity of the information to be processed, stored, or transmitted by the system. Baseline configurations must be updated as needed to ensure system upgrades, patches or other significant changes are addressed according to compliance requirements identified by the IT Vulnerability Management Standard. Existing baseline configurations must be reviewed at least annually to ensure they are still applicable.

V] Configuration Change Control
Configuration change control is the documented process for managing and controlling changes to the configuration of a system. Configuration change control includes, but is not limited to:

  • changes to Baseline configurations for components and configuration items of IT Assets.
  • changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices).
  • unscheduled/unauthorized changes.
  • changes to remediate vulnerabilities.

IT Asset Custodians must ensure proper configuration change control:

  • determine the types of changes to an information system or IT Asset that impact configuration.
  • review proposed configuration changes and approve or disapprove with explicit consideration for security impact analysis and document change decisions.
  • properly test, validate, and document planned changes prior to implementation of approved changes.
  • coordinate and provide oversight for change control activities through a change control entity that convenes regularly.
  • retain previous configurations and records of changes for the life of the system or IT Asset to support audit, incident response and historical information.
  • audit and review activities associated with configuration changes to the information system or IT Asset, including audit logs and rollback procedures.

VI] Security Impact Analysis
Each IT Asset Custodian must analyze planned changes to an information system or IT Asset to determine potential security impacts prior to change implementation. Security impact analysis may include reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Analyses are scaled in accordance with the security requirements of the IT Asset. IT Asset Custodians must ensure proper testing of configuration changes. Whenever possible, changes should be tested in a separate environment which is physically or logically isolated from the operational environment. After implementation, implemented changes must be verified to ensure that functions are implemented correctly, operating as intended, and producing the desired outcome to meet the security requirements of the system.

VII] Access Restrictions for Change
IT Asset Custodians must define, document, approve, and enforce physical and logical access restrictions associated with changes to an information system or IT Asset. Only qualified and authorized individuals are provided access to information system components for purposes of initiating changes, including upgrades and modifications. Audit trails or change logs must be maintained to ensure that configuration change control is being implemented as intended and to support periodic audits.

VIII] Configuration Settings
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters include registry settings; account, file, and directory permission settings; and settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for IT Assets. The established settings become part of the configuration Baseline. Each IT Asset Custodian must maintain appropriate configuration settings:

  • establish, document, and implement configuration settings for information technology products employed within the information system, that reflect the most restrictive mode consistent with operational requirements.
  • identify, document, and approve any deviations from established configuration settings.
  • monitor and control changes to configuration settings in accordance with policies.

IX] Least Functionality
The principle of least functionality provides that information systems and IT Assets are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that asset. IT Asset Custodians must ensure IT Assets are configured to restrict access through least functionality:

  • configure IT Assets to provide only essential capabilities with respect to their relative security. At least annually, review the use of functions, ports, protocols, and services. Identify and disable or eliminate those deemed unnecessary, unused or detrimental to the system or business.
  • identify and remove/disable unauthorized and/or non-secure functions, ports, protocols, services, and applications.
  • limit component functionality to a single function per device (e.g. database server, web server, etc.), where feasible.
  • when a device with elevated security controls is used to access IT Assets in locations deemed to be high risk, apply predefined security safeguards prior to joining it to the production network.

X] Software Usage Restrictions
Each IT Asset Custodian must ensure proper management of software:

  • use software (and associated documentation) in accordance with contractual agreements and copyright laws; and track the use of software protected for quantity licenses.
  • strictly prohibit the use of peer-to-peer file sharing technology.
  • establish, monitor, and enforce policies, standards and compliance governing the installation of software by end users.
  • establish restrictions on the use of open-source software (OSS).

XI] User-installed Software
To maintain control over the types of software installed, IT Asset Custodians must identify permitted and prohibited actions regarding software installation. Permitted software installations may include updates and security patches to existing software and downloading applications from organization-approved “app stores.” Prohibited software installations may include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. User-installed software must require privileged status.

XII] Incident Reporting
It is the responsibility of each staff member, contractor, or visitor to immediately report suspected or confirmed Information Security and Privacy Incidents to the Chief Information Security Officer (CISO).